JR - Health Care Compliance Association
PAUL SINGLETON, CISSP

system. Other advantages include easier access to specific information, increased efficiency in how information is distributed throughout the system, as well as near real-time trending analysis of information use and needs.

The similarity between this methodology and the HIPAA requirements and consequences is striking.

Information classification systems are often viewed as a clandestine strategy employed by governmental agencies or similar organizations that have intense research and development initiatives. While this is true, these systems are also used as a means of maintaining a competitive advantage over business rivals; an advantage that could be lost in the event proprietary secrets are compromised.

The banking, insurance, defense, and technology industries have long recognized the need for a systematized approach to categorizing information and regulating access based on need. Recently, some health care organizations have begun to realize that effective information classification is a competitive advantage and a cornerstone of an operative compliance plan. Creating an information classification system involves a three-step process that provides organizations with a powerful set of tools that can assist in management processes across an organization.

Initially, it is important to obtain senior management agreement that information is a precious corporate asset, one that needs to be managed as diligently as all other capital. Involvement of the board of directors and senior management accord is also important to ensure that the HIPAA compliance initiative conforms to the elements of an effective compliance program under the standards provided by the Federal Sentencing Guidelines. This should be viewed as an operational initiative.

Consider engaging other management personnel in the process. Using the Chief Information Officer (CIO) as the sole sponsor risks having the initiative viewed as a Y2K boondoggle.

A first step is to determine the classification of information. This is the most important and yet simplest phase. This identification process requires an assessment of the type of information the organization creates and maintains, as well as the various levels of proposed personnel access. This process is a function of three determining factors: confidentiality, integrity, and availability.

Understanding determining factors

All information is not of equal importance to an organization. In order to remain cost-effective, organizations need to establish which information is not considered worthy of protection. For example, many organizations do not want to invest the time and resources necessary to protect the contents of their internal phone book. This information generally can be acquired by calling an internal operator.

The basic information classification analysis of this example is that the information is available to anyone in the hospital without restriction, and thus is not confidential. Likewise, there is no concern over the information being modified to anyone's detriment (integrity), and without the phone book, the organization could continue to function with no lasting harm (availability). Obviously, information that does not meet any of the above criteria would be considered public and need not be restricted.

Not all information, however, falls exclusively into one of the three determining factors, and some may actually meet the test of all three. It is generally the information that meets all three criteria that is identified as critical to the organization's functional well-being. Decision analysis information and feasibility information are two examples of valuable, highly restricted information (confidentiality and integrity) that would have a lower level of criticality than patient information (confidentiality, integrity, and availability).

Fundamental elements

The information mapping system can be as basic or complex as an organization desires. The fundamental elements, however, are information classification and access management. Once these elements are in place, the opportunity for cross-organizational integration is available.

Continued on page 8
7<br />
August 2002